8 Takeaways: European Data Protection SummitAs GDPR Celebrates Its First Birthday, Privacy Experts Meet in London to Review
One year after the EU's General Data Protection Regulation officially went into full effect, data protection experts gathered in London to review the state of privacy - not just in the United Kingdom and Europe but across the world.
"Can you prove that you are compliant with GDPR one year on?" asked Ian West, COO at GDPR Associates, as an opening speaker Monday at the European Data Protection Summit in London. "GDPR is like a lifelong ailment; no matter what drug you take, you're not getting rid of it."
The many provisions of GDPR, which went into full effect on May 25, 2018, include mandatory data breach notifications whenever Europeans' personal data was or may have been exposed. Plus, EU data protection authorities can impose significant fines on any organization in the world that mishandles Europeans' personal information or otherwise fails to comply with GDPR.
Here are eight takeaways from this year's European Data Protection Summit:
You Will Be Breached
The exhortation to prepare as much as possible in advance of suffering any security incident continued to be emphasized throughout the event.
"Be under no illusion everybody; you will have a data breach," West said. "No matter what you do, through some level of human interaction, you will have a data breach. And the vast majority of data breaches happen inside a company - they're not due to hackers."
"Fifty to 90 percent of all cyber incidents are caused by employees - sometimes unintentionally, sometimes intentionally," said Rob van Straten, vice president of risk and learning for Europe, the Middle East, Africa and Asia-Pacific at the consultancy SAI Global.
Privacy Isn't Security
One problem many organizations continue to face is that they don't know what a privacy program should include.
"When I ask you about your privacy program and you start telling me about your security program, I'm going to slap you, because security and privacy are not the same thing," said data protection expert Sheila FitzPatrick, president of FitzPatrick & Associates.
One EU survey conducted in April, she said, found that fewer than 12 percent of organizations, including vendors, understood GPDR. "Every company focused on technology and tools and didn't focus on privacy," she said.
"The day after GDPR was ratified in April 2016, I went on the website of 150 of the world's biggest companies, and every single one of them had 'GDPR expert' on their website," she said. While noting that many organizations do in fact understand GDPR, she questioned whether on that day in 2016 there was even one expert on GDPR in the world.
"GDPR also became a revenue-generator," she said. "It generated more revenue than Y2K - over $60 billion - and ... a lot of these companies have now moved on to ePrivacy," a U.K. regulation set to take effect soon.
For anyone who's still not clear on how security and privacy relate, "security is one component of data privacy compliance," FitzPatrick said. "Privacy is all about an individual owning his or her data. As an organization, you're storing that data, but you never own that data."
Comply With Multiple Privacy Regulations
Since the 2016 referendum on the U.K.'s membership in the EU, the choice by a majority of British voters to leave the EU has chewed through two prime ministers while the country continues to attempt to define what Brexit means or how it might be achieved.
FitzPatrick said one British executive recently told her: "If Brexit goes through, we don't have to worry about GDPR."
Unfortunately for Brits, that's a myth, she said. If Brexit goes through, the U.K. would likely require some type of deal akin to Privacy Shield, an agreement between the U.S. and the EU that governs how U.S. organizations handle Europeans' personal data.
If Brexit does happen, organizations would also be faced with the prospect of not just having to comply with GDPR, but also with the U.K's Data Protection Act 2018. The DPA enacted GDPR but also added additional requirements for British organizations.
"The Data Protection Act of the U.K. is a bit of a beast," said Linda Thielová, data privacy counsel at OneTrust. "Especially after Brexit, we will be facing a situation where we have two GDPRs up against each other: There will be the British one and there will be the European one, and they all have obligations when it comes to transferring data into and out of these [domains]."
But that's not the only privacy regulation or in town. The U.K.'s Privacy and Electronic Communications Regulations (Amendment) 2019 (ePrivacy Regulations) came into force on Dec. 17, 2018. "That amendment was the ability to fine an officer ... where a breach has been caused by the action or inaction of an officer," West said. "The interesting thing now is they can be fined up to £500,000 ($635,000) for each infraction."
UK Faces Surveillance Challenges
On the day that GDPR went into effect, a new privacy lobbying group called noyb - for none of your business - headed by Austrian privacy rights campaigner Max Schrems filed three complaints against Facebook and its WhatsApp and Instagram subsidiaries, as well as another complaint against Google's Android operating system. Citing GDPR, Schrems accused them of forcing users to accept "coercive" new terms that undercut GDPR's protections (see: Europe's Strong GDPR Privacy Rules Go Into Full Effect).
Schrems appeared at the conference to deliver a keynote presentation on privacy in the age of Brexit.
"I was asked to do something impossible for an Austrian lawyer, which is to talk about U.K. surveillance laws," Schrems said.
The U.K. will no doubt continue its surveillance programs, which Schrems said include data sharing with Five Eyes partners, including the U.S., in a manner that might violate Europeans' human rights.
But post-Brexit, Schrems said the EU probably won't try to stand in the U.K.'s way. "To my mind there's going to be some kind of 'U.K. GDPR' but there will also be U.K. surveillance laws ... and the reality is that the European Union is probably just going to green-light it."
At the moment, the U.K. relies on an "Article 4 exception" in the EU treaty to exclude its security laws from EU oversight.
"The problem is, this only applies to EU member states," Schrems said. "Once the U.K. is no longer a member, it no longer applies, and this is the problem the U.S. is having right now too" with data transfers via Privacy Shield.
Once the Article 4 exemption no longer applies, the U.K. could be sued in European courts to block its ability to process Europeans' personal data, unless it discontinued certain surveillance practices. "I would personally not bring a case like that right now because I personally feel Brexit is enough of a mess without these issues," Schrems said. But others might take legal action.
Brace for GDPR Fines
Under GDPR, EU data protection authorities can impose fines of up to 4 percent of their annual global revenue or €20 million ($22.5 million) - whichever is greater - as well as other potential sanctions, including losing their ability to process personal data. Separately, organizations that fail to comply with GDPR's reporting requirements also face fines of up to €10 million ($11.2 million) or 2 percent of annual global revenue.
So far, however, few organizations have been fined. On exception: A single large fine leveled as part of an ongoing case against Google by France's data protection authority (see: France Hits Google With $57 Million GDPR Fine).
But that will likely change soon. "Serious fines are coming over the summer," said Paul Breitbarth, director of strategic research and regulator outreach at Nymity, referring to comments made by Ireland's Data Protection Commissioner Helen Dixon to the U.S. Congress in April. Dixon said "yes, big fines are coming this summer, including with some big companies that the DPC has under investigation," Breitbarth said.
GDPR Makes Documentation Mandatory
For organizations that must demonstrate compliance with GDPR, Breitbarth pointed out, U.K. Information Commissioner Elizabeth Denham made it clear that "accountability and demonstrating compliance are an important part of a privacy program," meaning it's not just about culture but also ensuring documenting what is being done and why.
"Documentation isn't about reinventing the wheel, but a lot of what is important for your privacy program will be put in writing anyway," he said, including basic rules for how the organization has chosen to deal with data protection rules.
Stronger Privacy Laws Spread
Other countries have been watching GDPR carefully to see which parts they want to bring to bear via their own national legislation.
David Longford, CEO of Dataguidance, said many organizations that he works with have said that aspects of the California Consumer Privacy Act appear to be even stronger than GDPR (see: CCPA vs. GDPR: A CISO's View).
Other U.S. states that have considered new data protection rules this year have included Hawaii, Maryland, Massachusetts, New Jersey, Texas, New Mexico, Rhode Island and Maine - as well as Washington, D.C., Longford said.
Other countries, including Brazil, Japan and South Korea, have also been strengthening their rules around handling personal data. In South Korea, anyone found guilty of the criminal mishandling of personal data faces a prison sentence of up to five years in prison.
Keep Tackling Culture Challenges
One recurring theme throughout the event's sessions was the need for every organization that must comply with GDPR to ensure it is making cultural changes that can sustain such compliance.
Only now are organizations coming to grips with this as they emerge from the fire-fighting mode that characterized the first year of full GDPR compliance, said Karima Noren, director of the Privacy Compliance Hub, which offers templates to organizations to help them put in place better privacy practices.
"It's an incredibly difficult job, but I would say you cannot get GDPR right until you go back and get the cultural piece right," she said.
A further complication: Every organization's culture differs. "One approach we've seen that works really well is you have to make people care; you have to make them feel like they're part of the process," she said. "Unfortunately, the sort of general training that we all do once a year is not going to do the trick."
What does work, she says, is having "privacy heroes" or champions who can bring the message home to employees, as well as making sure programs have a lighter side. "You want to find a way of making it fun," she said. "You've got to play with the psychology of it."
Because whatever a company's plan for GDPR compliance, planning doesn't equal reality. "Culture eats strategy for breakfast," said Hayley Jaffrey, data privacy and quality governance director at The Quality Atlas, a consultancy based in Scotland.
In theory, everyone inside an organization would always apply their privacy training, backed by a big dose of common sense, to make sure they always did the right thing. But such an approach is fundamentally flawed, she said, noting: "Common sense is a flower that doesn't grow in everyone's garden."
As a result, she recommends organizations deploy a heavy does of "what's in it for me" when attempting to inculcate employees to do the right privacy thing.
Photographs: Mathew Schwartz